One of the largest ISPs in Europe distributed millions of vulnerable devices to their customers without any security checks. Now these devices are up and running all over Europe and can provide Internet access and jump hosts for hackers and criminals. In this presentation the speaker will show you the whole process of a proper CPE device testing with its pitfalls and joyrides. During this test a handful of 0days were discovered and these will be presented. It will be shown how an attacker with zero-knowledge can log into a private network by getting the factory default WPA passphrases from MAC addresses or even worse, the changed passphrase! The other 0day brings a root shell with plenty of buffer overflows, factory backdoors in the firmware. All vulnerabilities’ root cause will be presented to the audience with good laughs.

1. 0DAY HUNTING
A.K.A.
THE STORY OF A PROPER CPE TEST
Balazs Bucsay - Research Director @ MRG Effitas
OSCE, OSCP, OSWP, GIAC GPEN
@xoreipeip # http://rycon.hu

2. BIO / BALAZS BUCSAY
• Hungarian hacker
@xoreipeip

4. BIO / BALAZS BUCSAY
• Hungarian hacker
• Research Director @ MRG Effitas
• Strictly technical certificates: OSCE, OSCP,
OSWP and GIAC GPEN
• Previously worked as an ethical hacker
• Started with ring0 debuggers and
disassemblers in 2000 (13 years old)
• Major project in 2009: GI John
@xoreipeip

5. • Webpage: http://rycon.hu
• Twitter: @xoreipeip
• Linkedin:
https://www.linkedin.com/in/bucsayb
BIO / BALAZS BUCSAY
@xoreipeip

6. PRESENTATIONS
• Talks around the world: • Atlanta (US)
• Moscow (RU)
• London (UK)
• Oslo (NO)
• Vienna (AT)
• Budapest (HU)
• Latest presentation: • Chw00t: Breaking unices’ chroot solutions
• https://github.com/earthquake/chw00t
• Slides: http://bit.ly/1T78dfM
@xoreipeip

7. WORK VS PASSION
• This presentation and findings are not related to my daily work
• Did all this research in my free time
• Don’t like black boxes and closed source
• Although if you are interested in testing your device contact us!
@xoreipeip

8. • None of the vendors care about security
• I was afraid of all the juicy RCE bugs are gone now
• Truth is: nobody cares, old bugs are there and will be there
• Most of the embedded devices are running on old 2.4 kernels
• Worked for the second largest mobile operator doing CPE tests
• Found several RCE, Auth bypasses, XSSs in different devices
CUSTOMER PREMISES EQUIPMENT - CPE
@xoreipeip

9. • Not gonna mention the ISP’s name
• Huge ISP in Europe, it has subsidiaries at least in 8 EU countries
• Distributed to more than 6 million customers around Europe
(based on the ISP’s website)
• Mostly covered by the following devices
TODAY’S DEVICE
@xoreipeip

10. CISCO EPC3925
@xoreipeip

11. CISCO EPC3925 - PWNED
@xoreipeip

12. TECHNICOLOR TC7200
@xoreipeip

13. TECHNICOLOR TC7200 - PWNED
Nice walk-through by Peter Geissler (@bl4sty) on Hack in The box
Amsterdam: http://bit.ly/215GwaN @xoreipeip

14. TECHNICOLOR TC7200 - PWNED
• Blasty dumped the memory
• Reverse engineered the ESSID and WPA2-PSK generator
• PSK generator based on ESSID: http://bit.ly/1UnMvTT
(TC7200 only)
Long story short:
@xoreipeip

15. UBEE EVW3226 - PWNED??
@xoreipeip

16. UBEE EVW3226 - PWNED??
• People started to play seriously with the device around January
of 2016
• 0day exploit released (physical access needed) - did not work
for me
• Flash content was dumped and uploaded in the same month
• SEC Consult identified overlapping vulns: http://bit.ly/25KdjFK
• Yolosec released a tool as well: http://bit.ly/29isodH
@xoreipeip

17. THE PLAN
• GOAL 0: get the dump of the filesystem
• GOAL 1: get full access to the device
• GOAL 2: get unauthenticated command/code execution
• GOAL 3: get access to the network
• …
• Profit
@xoreipeip

18. GOAL 1: GET FULL ACCESS TO THE DEVICE
• Blackbox approach did not succeed
• Filesystem dump was released
• Device is using lighttpd with a custom .cgi binary
• Fired up IDA Pro to look for injection points
@xoreipeip

19. JUST A FEW TO MENTION
@xoreipeip

20. JUST A FEW TO MENTION
@xoreipeip

21. JUST A FEW TO MENTION
@xoreipeip

22. CAN YOU SPOT IT?
@xoreipeip

23. RCE AS IT’S BEST

24. EXPLOITATION
• The code can be invoked by starting a certain feature of the device
• Two injection points
• ESSID: max 32 ASCII character - although does not accept
everything
• PSK: max 64 ASCII character - accepts all necessary characters
• Admin must be authenticated and connected to the internal
network
@xoreipeip

25. *BA DUM TSSS*
@xoreipeip

26. GOAL 2: FIND UNAUTHENTICATED RCE/BOF
• Although we have full access to the device, we still need an
admin user to exploit it
• Authentication bypass can be a solution
• Unauthenticated RCE or BOF can help too
@xoreipeip

27. CAN YOU SPOT IT?
@xoreipeip

28. VANILLA STACK OVERFLOW
Pros:
• Unauthenticated like I wished for
• Trivial? vanilla stack overflow
Cons:
• Big endian Linux on ARM - no public shell code
• No experience with ARM
• No qemu-system for big endian ARM, only qemu-user
@xoreipeip

29. SHELLCODING
• Compiling big endian toolchain with Buildroot
• Compiling static gdbserver for the device
• Debugging the binary for exploitation
• Writing shellcode based on tutorials and others
• Linux ARM big endian bind shell code merged into Metasploit
https://github.com/rapid7/metasploit-framework/pull/6959
@xoreipeip

30. IN THE GDBSERVER
• No next or nexti, must put breakpoints on every instruction
• Most of the features are gone
• stack is not executable - no features, did not check…
• turns off stack randomisation (not vanilla anymore) - had to
write ROP
• turns off ASLR (infoleak needed)
@xoreipeip

31. EPIC FAIL
• Only 11bit is randomised, 1/2048 chance to hit the address
• Webserver forked the process, new memory address every time
• Watchdog restarts the web server
• Then realised that lighttpd filters most of the characters ->
unexploitable
@xoreipeip

32. AUTHENTICATION BYPASS
• Found by Search-lab
• Makes authenticated RCE to unauthenticated
• http://www.search-lab.hu/advisories/122-ubee-evw3226-
modem-router-multiple-vulnerabilities
@xoreipeip

33. GOAL 3: GET ACCESS TO THE NETWORK
• Fallback options:
• admin:admin account still could work in default cases
• previously generated backup can be downloaded
• We only need access to the internal network to get full access
• Let’s dig the binaries
@xoreipeip

34. BACK OF THE BLACKBOX
@xoreipeip

35. FEW SYMBOLS
FROM THE
BINARIES
Some of these could be
interesting
@xoreipeip

36. WPA2-PSK GENERATION ALGORITHM
@xoreipeip

37. WPA2-PSK, SSID, WPS PIN GENERATION ALGORITHM
• Based only on MAC address, nothing else
• Depends on whether it is 5G or 2.4G
• MAC can be sniffed
• WPS-PIN generation is based on the same idea
• Algorithm released 3rd of July by Yolosec
@xoreipeip

38. SURPRISE SURPRISE!
WPS-PIN ENABLED BY DEFAULT
@xoreipeip

39. GETTING INTO THE NETWORK
• What if the user changed the SSID?
@xoreipeip

40. GETTING INTO THE NETWORK
• If the user changed the SSID: you can still get the passphrase
@xoreipeip

41. GETTING INTO THE NETWORK
• If the user changed the SSID: you can still get the passphrase
• What if the user changed the PSK?
@xoreipeip

42. GETTING INTO THE NETWORK
• If the user changed the SSID: you can still get the passphrase
• If the user changed the PSK: let’s generate the WPS-PIN
• All of these can be generated from the MAC address
• From nothing to root in 2 minutes (default credentials)
@xoreipeip

43. DEMO
@xoreipeip

44. THE VENDOR HELPS YOU
it’s easier when you have a map - blue dots are the modems
@xoreipeip

45. Authenticated firmware upgrade^W^W^W buffer overflow
WHO NEEDS MORE?
@xoreipeip

46. and if you are too lazy to crack a password…
WHO NEEDS MORE?
@xoreipeip

47. and if you are too lazy to crack a password…
WHO NEEDS MORE?
@xoreipeip

48. FURTHER VULNERABILITIES
• Previously requested backup can be downloaded without
authentication
• Plaintext passwords all over the device (nvram, heap, configs)
• Backdoor users in passwd and shadow files
• Command injections and buffer overflows
@xoreipeip

49. IMPACT
• Few million customer is potentially vulnerable
• Anybody can access their network, get root in a few minutes
• Botnets, jump hosts, tor gateways, etc.
• Newest Snowden leaks: secret services use MiTM on routers
• You cannot be sure that you don’t have a device like this at home
!
!
@xoreipeip

50. Balazs Bucsay - @xoreipeip
Thank you for your attention!
!
Q&A